Viewing IDS Alarms - AudioCodes Mediant 4000 SBC User Manual

Parameter: Policy (policy) [IDSMatch_Policy]
Description: Assigns an IDS Policy (configured in 'Configuring IDS Policies' on page 162).

13.3.4 Viewing IDS Alarms

For the IDS feature, the device sends the following SNMP traps:

Traps that notify the detection of malicious attacks:

acIDSPolicyAlarm: The device sends this alarm whenever a threshold of a specific IDS Policy rule is crossed. The trap displays the crossed severity threshold (Minor or Major), IDS Policy and IDS Rule, and the IDS Policy-Match index.

acIDSThresholdCrossNotification: The device sends this event for each scope (IP address) that crosses the threshold. In addition to the crossed severity threshold (Minor or Major) of the IDS Policy-Match index, this event shows the IP address (or IP address:port) of the malicious attacker.
If the severity level is raised, the alarm of the former severity is cleared and the device sends a new alarm with the new severity. The alarm is cleared after a user-defined period (configured by the ini file parameter, IDSAlarmClearPeriod) during which no thresholds have been crossed. However, this "quiet" period must be at least twice the 'Threshold Window' value (configured in 'Configuring IDS Policies' on page 162). For example, if you set IDSAlarmClearPeriod to 20 sec and 'Threshold Window' to 15 sec, the IDSAlarmClearPeriod parameter is ignored and the alarm is cleared only after 30 seconds (2 x 15 sec).
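The clearing rule and the Minor-to-Major replacement described above, modelled as an added Python example (not AudioCodes code). The IdsAlarmModel class, its event tuples, and the treatment of a same-or-lower-severity crossing as merely restarting the quiet timer are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SEVERITY_RANK = {"Minor": 1, "Major": 2}

def effective_clear_period(ids_alarm_clear_period: int, threshold_window: int) -> int:
    # IDSAlarmClearPeriod applies only if it is at least twice the 'Threshold Window';
    # otherwise the alarm clears after 2 x Threshold Window of quiet time.
    return max(ids_alarm_clear_period, 2 * threshold_window)

@dataclass
class IdsAlarmModel:
    ids_alarm_clear_period: int
    threshold_window: int
    severity: Optional[str] = None          # active severity, None = no alarm
    last_crossing: Optional[int] = None     # time (s) of the most recent crossing
    events: List[Tuple[int, str, str]] = field(default_factory=list)

    @property
    def quiet_period(self) -> int:
        return effective_clear_period(self.ids_alarm_clear_period, self.threshold_window)

    def advance(self, now: int) -> None:
        # Clear the alarm once the quiet period has elapsed with no crossings.
        if self.severity is not None and now - self.last_crossing >= self.quiet_period:
            self.events.append((self.last_crossing + self.quiet_period, "clear", self.severity))
            self.severity = None

    def crossing(self, now: int, severity: str) -> None:
        # A threshold of the policy rule was crossed at `severity` at time `now`.
        self.advance(now)
        if self.severity is None:
            self.events.append((now, "raise", severity))
            self.severity = severity
        elif SEVERITY_RANK[severity] > SEVERITY_RANK[self.severity]:
            # Severity raised: the former alarm is cleared and a new one is sent.
            self.events.append((now, "clear", self.severity))
            self.events.append((now, "raise", severity))
            self.severity = severity
        # Assumption: a crossing at the same or lower severity only restarts the quiet timer.
        self.last_crossing = now

def example_timeline() -> List[Tuple[int, str, str]]:
    # The manual's numbers: clear period 20 s, window 15 s, so the quiet period is 30 s.
    model = IdsAlarmModel(ids_alarm_clear_period=20, threshold_window=15)
    model.crossing(0, "Minor")    # Minor alarm raised
    model.crossing(10, "Major")   # Minor cleared, Major raised in its place
    model.advance(60)             # nothing crossed after t=10: Major clears at t=40
    return model.events
```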
The figure below displays an example of IDS alarms in the Active Alarms table ('Viewing Active Alarms' on page 623). In this example, a Minor threshold alarm is cleared and replaced by a Major threshold alarm:
acIDSBlacklistNotification event: The device sends this event whenever an attacker (remote host at IP address and/or port) is added to or removed from the blacklist.
You can also view IDS alarms through the CLI:

To view all active IDS alarms:
# show voip ids active-alarm all

To view all IP addresses that have crossed the threshold for an active IDS alarm:
# show voip ids active-alarm match <IDS Match Policy ID> rule <IDS Rule ID>
The IP address is displayed only if the 'Threshold Scope' parameter is set to IP or IP+Port; otherwise, only the alarm is displayed.

To view the blacklist:
# show voip ids blacklist active
For example:
Active blacklist entries:
10.33.5.110(NI:0) remaining 00h:00m:10s in blacklist
Figure 13-8: IDS Alarms in Active Alarms Table

User's Manual, page 168, Mediant 4000 SBC, Document #: LTRT-41729
